I need PHP best practice adv(Submit,Validate,Insert,Inform)
Posted: Wed Jan 13, 2010 1:02 pm
Hello!
I need a very simple and PHP best practice advice or links to a tutorials that explains the topic in a very very simple way.
The task is to Submit the Form, Validate parameters, Insert data into database.
My questions are: The best place to submit form data, the best way to validate form Strings (disregard email formats or data formats) before inserting them into database table. The best way to make sure that the data is actually recorded into a table. The friendly way to notify user about the successful or not successful operation.
1. Submit HTML for to PHP file
My questions here: which way is more efficient to Submit form to $ _SERVER [ 'PHP_SELF'] or to a Controler.php which will validate provided input and then use DAO to record Data into database or redirect user to form.php and ask him to provide valid information. A disadvantage that I see here is redirecting. An advantage I see here is my Controler logic is in a separate file.
2. What is the best way to validate user input before recording data to Database to prevent hacking?
After reading on PHP.net I selected three necessary functions that my Strings need to run thru before getting into database. And these are:
String $paramValue = htmlspecialchars(stripslashes($_GET[$name]));
$paramValue = str_ireplace("script", "blocked", $paramValue);
$paramvalue = mysql_escape_string($paramvalue);
What are your thoughts and experience. Are these all needed to secure my INSERT or UPDATE from Hacking(SQL injection)?
3. I realized that the best way to keep passwords is outside the public folder. And then read the file and get the user name and password to be user for accessing Database.
Will it be a bad practice if I keep my username and password in DAO as private constants.
class DAO {
var $dbhost = "localhost:3306";
var $dbuser = 'user';
var $dbpass = "password";
var $conn=null;
var $dbname = 'dbname';
var $result=null;
public function openConnection() {
$this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass,$this->dbname);
if( mysqli_connect_errno( ) ) throw new Exception("Could not establish connection with database") ;
}
}
Or keep username and password in DAO_Base class and then have DAO extend the DAO_Base for DAO to have user name and password accessible. This way I can have UserDAO, ClientDAO, NewsDAO all extend one class and have username and password kept in one place.
Is it a good practice? I am looking for good and simple and secure. Not the best complicated.
4. After running a Prepared Statement to insert to data into database. What is the best way and quick way to check if the row has been affected and data is in?
Example:
$sql = "INSERT INTO news (title) VALUES (?)";
$statement = $this->conn->prepare($sql);
if(!$statement) throw new Exception($statement->error) ;
$statement->bind_param("s",$newsVO->title);
$returnValue = $statement->execute();
As far as I understand a statement can be executed for Update or Insert and return value would be ‘1’. But it does not actually mean that the value is INSERTED or Updated. It simply says that the statement is executed. How to check how many rows are actually affected? What is the best way?
I hope this post is not to long. I am very interested to learn the best practices to do this days programmers tasks and want to hear your opinion.
And… I need it in plain PHP with no frameworks used. These questions is not an assignment from University or something. It is just my intention to master PHP fast by studying best practices and asking people about their experience. I am an entry level programmer.
Thank you and I am very interested to hear your opinions.
I need a very simple and PHP best practice advice or links to a tutorials that explains the topic in a very very simple way.
The task is to Submit the Form, Validate parameters, Insert data into database.
My questions are: The best place to submit form data, the best way to validate form Strings (disregard email formats or data formats) before inserting them into database table. The best way to make sure that the data is actually recorded into a table. The friendly way to notify user about the successful or not successful operation.
1. Submit HTML for to PHP file
My questions here: which way is more efficient to Submit form to $ _SERVER [ 'PHP_SELF'] or to a Controler.php which will validate provided input and then use DAO to record Data into database or redirect user to form.php and ask him to provide valid information. A disadvantage that I see here is redirecting. An advantage I see here is my Controler logic is in a separate file.
2. What is the best way to validate user input before recording data to Database to prevent hacking?
After reading on PHP.net I selected three necessary functions that my Strings need to run thru before getting into database. And these are:
String $paramValue = htmlspecialchars(stripslashes($_GET[$name]));
$paramValue = str_ireplace("script", "blocked", $paramValue);
$paramvalue = mysql_escape_string($paramvalue);
What are your thoughts and experience. Are these all needed to secure my INSERT or UPDATE from Hacking(SQL injection)?
3. I realized that the best way to keep passwords is outside the public folder. And then read the file and get the user name and password to be user for accessing Database.
Will it be a bad practice if I keep my username and password in DAO as private constants.
class DAO {
var $dbhost = "localhost:3306";
var $dbuser = 'user';
var $dbpass = "password";
var $conn=null;
var $dbname = 'dbname';
var $result=null;
public function openConnection() {
$this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass,$this->dbname);
if( mysqli_connect_errno( ) ) throw new Exception("Could not establish connection with database") ;
}
}
Or keep username and password in DAO_Base class and then have DAO extend the DAO_Base for DAO to have user name and password accessible. This way I can have UserDAO, ClientDAO, NewsDAO all extend one class and have username and password kept in one place.
Is it a good practice? I am looking for good and simple and secure. Not the best complicated.
4. After running a Prepared Statement to insert to data into database. What is the best way and quick way to check if the row has been affected and data is in?
Example:
$sql = "INSERT INTO news (title) VALUES (?)";
$statement = $this->conn->prepare($sql);
if(!$statement) throw new Exception($statement->error) ;
$statement->bind_param("s",$newsVO->title);
$returnValue = $statement->execute();
As far as I understand a statement can be executed for Update or Insert and return value would be ‘1’. But it does not actually mean that the value is INSERTED or Updated. It simply says that the statement is executed. How to check how many rows are actually affected? What is the best way?
I hope this post is not to long. I am very interested to learn the best practices to do this days programmers tasks and want to hear your opinion.
And… I need it in plain PHP with no frameworks used. These questions is not an assignment from University or something. It is just my intention to master PHP fast by studying best practices and asking people about their experience. I am an entry level programmer.
Thank you and I am very interested to hear your opinions.